Data Retention Policy

Last Updated: December 2024 | Version 1.0

1. Introduction

This Data Retention Policy explains how long PYROCOMPLY retains your data and the reasons for these retention periods. We retain data in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Building Safety Act 2022
  • Regulatory Reform (Fire Safety) Order 2005
  • PAS 79: Fire Risk Assessment Guidance

2. Data Retention Schedule

Data Type | Retention Period | Legal Basis
Fire Risk Assessments | 10 years after superseded | Building Safety Act 2022
Inspection Reports | 10 years | FSO 2005 / BS 9999
Compliance Certificates | Lifetime of building + 10 years | Golden Thread requirement
Incident Reports | 10 years | Legal / Insurance
Fire Drill Records | 7 years | FSO 2005
Asset Maintenance Records | 7 years after asset disposal | BS 5839 / BS 5266
Building Information | Lifetime + 10 years | Building Safety Act 2022
User Account Data | Duration + 7 years | HMRC / Legal
Audit Logs | 7 years | UK GDPR / Compliance
Payment Records | 7 years | HMRC Requirements
Voice Recordings | As per parent inspection | Linked to inspection
Photographs | As per parent inspection | Linked to inspection
Marketing Preferences | Until withdrawal | Consent-based

3. Golden Thread Requirements

Under the Building Safety Act 2022, certain buildings require a "Golden Thread" of building safety information that must be maintained throughout the building's lifecycle. This includes:

  • Design and construction information
  • Fire safety systems documentation
  • Inspection and maintenance records
  • Changes to the building
  • Compliance certificates

Important: Golden Thread data for higher-risk buildings must be retained for the lifetime of the building plus 10 years. Under the exemptions to UK GDPR Article 17, this data cannot be deleted upon request.

4. Data Deletion Procedures

4.1 Automatic Deletion

Data that has exceeded its retention period is automatically flagged for review and, where appropriate, securely deleted or anonymised.

4.2 User Requested Deletion

Users may request deletion of their personal data. We will comply unless:

  • The data is required for legal compliance (e.g., fire safety records)
  • The data is subject to ongoing legal proceedings
  • The data forms part of Golden Thread documentation
  • Retention is required for public safety reasons

4.3 Account Closure

When you close your account:

  • Personally identifiable information is deleted within 30 days
  • Compliance records are retained as per regulatory requirements
  • You have 30 days to export your data before deletion
  • Audit logs are anonymised but retained for compliance

5. Data Archiving

After the active retention period, data may be archived rather than deleted:

  • Archived data is stored in secure, encrypted cold storage
  • Access to archived data is restricted to authorised personnel
  • Archived data is used only for legal/compliance purposes
  • Regular audits ensure archive integrity

6. Legal Holds

Data may be retained beyond normal retention periods when:

  • Subject to litigation or legal proceedings
  • Required for regulatory investigation
  • Part of an enforcement action
  • Required by court order

7. Data Portability

You can export your data at any time in the following formats:

  • PDF: For inspection reports and certificates
  • Excel: For asset and inspection data
  • JSON: For technical data integration
  • CSV: For bulk data export

Contact support@pyrocomply.com for bulk export requests.

8. Third-Party Data Processors

Our data processors are contractually required to:

  • Process data only on our instructions
  • Delete or return data upon termination
  • Maintain equivalent security standards
  • Assist with data subject requests

9. Security During Retention

All retained data is protected by:

  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.3)
  • Role-based access controls
  • Regular security audits
  • Intrusion detection systems
  • Backup redundancy

10. Review and Updates

This policy is reviewed annually or when:

  • Legislation changes
  • New regulatory guidance is issued
  • Our services change significantly
  • Industry best practices evolve

11. Contact

For questions about data retention or to request data deletion:

Data Protection Officer

Email: dpo@pyrocomply.co.uk

Subject: Data Retention Query

12. Regulatory References

  • UK GDPR Article 5(1)(e) - Storage Limitation
  • UK GDPR Article 17 - Right to Erasure
  • Building Safety Act 2022 - Golden Thread Requirements
  • Regulatory Reform (Fire Safety) Order 2005
  • PAS 79:2020 - Fire Risk Assessment
  • PAS 8903:2023 - Golden Thread Standard
  • BS 9999:2017 - Fire Safety in Buildings